We show that the tasks of privacy amplification against quantum adversaries and data
compression with quantum side information are dual in the sense that the ability to perform
one implies the ability to perform the other. These are two of the most important primitives
in classical information theory, and are shown to be connected by complementarity and
the uncertainty principle in the quantum setting. Applications include a new uncertainty
principle formulated in terms of smooth min- and max-entropies, as well as new conditions
for approximate quantum error correction.

I. INTRODUCTION



Two of the most fundamental primitives in information theory are privacy amplification and data
compression with side information, both of which involve manipulating the correlations between
two random variables Z and Y. Privacy amplification is the art of extracting that part of Z which
is uncorrelated from Y. In particular, the goal is to extract uniform randomness, in the form of a
random variable U, from an input Z in such a way that U is completely uncorrelated with Y. In
a cryptographic setting Z might refer to a partially-random and partially-private key string, while
Y refers to knowledge held by an adversary. Meanwhile, the goal of data compression with side
information is essentially the opposite, to determine that part of Z which is not correlated with
Y and to make this available as the compressed version of Z. More specifically, an encoder would
like to compress Z into a smaller random variable C such that a decoder can reconstruct Z given
both C and the side information Y.

These two tasks have direct, purely quantum analogs in quantum information theory. Data
compression with side information translates into distillation of entanglement between two quantum
systems A and B using only classical communication (the analog of C). The quantum version of
privacy amplification is the removal of all correlations (both quantum and classical) between A
and B by actions taken only on A, such that the density matrix for system A is also transformed
into a completely mixed state (the analog of U).

Moreover, in the purely quantum realm the two quantum tasks are dual to one another, a
feature which has been fruitfully exploited to construct a whole family of quantum information
processing protocols. The duality holds for complementary quantum systems, in the sense that
if it is possible to maximally entangle two systems A and B such that A itself is maximally mixed,
then it is possible to completely decouple a maximally-mixed A from the complementary system
R of B, and vice versa 18(. Two systems B and R are complementary, relative to system A, when 
the joint quantum state of ABR is a pure state, a state which always exists in principle. That is, 
two systems B and R are complementary relative to A when each one is the purifying system for 
the other and A.

In this paper we show that this duality also extends to the hybrid classical-quantum tasks of 
classical privacy amplification against quantum adversaries and classical data compression with 
quantum side information: The ability to perform one of the tasks implies the ability to perform
the other. Here we are interested in manipulating the correlations between a classical random
variable Z and a quantum random variable, i.e. a quantum system B. Despite the hybrid nature 
of the resources, the analysis is still within the realm of quantum information theory, as we can 
and do imagine that Z is produced by measurement of the quantum system A. 

Complementary quantum systems still constitute an important part of the duality, and
compression of Z given side information B implies privacy amplification against R and vice versa,
just as in the purely quantum case. However, the duality takes on an additional complementary
character, as the compression task is not dual to privacy amplification of Z against R, but rather it
is dual to privacy amplification of a complementary random variable, which we will call X, against
R. Complementary random variables correspond to outcomes of measuring complementary
observables, observables like position and momentum for which complete certainty in the outcome of
one observable implies complete uncertainty in the outcome of the other. In the present context,
if the random variable Z is the result of measuring an observable $Z^A$ on system A, then X is the
result of measuring a complementary observable on A. In what follows we ignore the difference
between an observable and random variable and simply call both $Z^A$ (or $X^A$).

Of course, one of the pillars of quantum mechanics is that both measurements cannot be
performed simultaneously. Because analysis of such complementary measurements can quickly become
a maze of counterfactuals, let us describe the duality more precisely. We start with a pure quantum
state $|\psi\rangle^{ABR}$ describing the three quantum systems A, B, and R. Then we imagine a hypothetical
$Z^A$ measurement, say, and then design a protocol for data compression of the resulting classical
random variable $Z^A$ given side information B. The protocol itself is real enough, and the
duality then states that if we instead perform the $X^A$ measurement, it is possible to repurpose the
compression protocol to perform privacy amplification of the classical random variable $X^A$ against
system R. The same is true in the reverse direction (modulo the caveats discussed below). We
stress that only one of the two conjugate measurements $Z^A$ or $X^A$ is ever performed on we
merely contemplate what would be possible had the other measurement been performed.

There are two caveats regarding the duality that should be emphasized. First, we can only
establish a duality between protocols in which the privacy amplification function or data compression
function is linear. This requirement stems from the need to interpret functions applied to $X^A$ as
operations on $Z^A$ and vice versa. In general this is problematic, as $X^A$ and $Z^A$ are complementary
observables and therefore actions taken on one have unavoidable back-actions on the other, but
linear functions will offer a way around this problem.

Secondly, the duality does not hold in both directions for arbitrary states of ABR. As we
shall see, the ability to perform data compression with side information (CSI) implies the ability
to perform privacy amplification (PA). However, we can only show the converse when $|\psi\rangle^{ABR}$ has
one of two simple forms, either R is completely correlated with (a hypothetical measurement of)
$Z^A$ or B is completely correlated with (a hypothetical measurement of) $X^A$. These restrictions
and the asymmetry of the duality can be traced back to a recently proven form of the uncertainty
principle and the fact that it only sets a lower limit on knowledge of complementary
observables. Going from privacy amplification to data compression implicitly requires an upper
limit, which we deal with by considering the equality conditions of the uncertainty principle, and
these are shown to be exactly the two conditions named above.

The remainder of the paper is devoted to elucidating the duality. In the next section we provide
background on the two tasks, how protocols can be constructed using universal hashing, as well
as the details of one-shot protocols handling arbitrary inputs and rates that can be achieved in
the case of asymptotically-many identical inputs. Then in Sec. III we examine the "perfect" cases,
that is, when is perfectly recoverable from B or R is completely uncorrelated with a uniformly
random $X^A$, and show that the duality immediately follows from a recently discovered form of
the uncertainty principle. Use of the uncertainty principle helps explain the duality in a simplified
setting and understand the reason for the second caveat above.

As perfect correlation or uncorrelation is difficult to achieve in practice, we are ultimately more
interested in the approximate case. In Sec. IV we investigate the duality in the approximate case
and show that R is approximately uncorrelated with if is approximately recoverable from
B, and vice versa. This serves as a stepping stone to studying full-fledged CSI and PA protocols,
as taken up in Sec. V. Therein we show how CSI protocols utilizing linear hashing can be used
to construct, and can be constructed from, linear-hashing based PA protocols. In the case of
protocols designed for inputs consisting of asymptotically-many copies of a fixed resource state,
the uncertainty principle of implies that the duality preserves optimality of protocols in that
optimal CSI protocols can be transformed into optimal PA protocols, and vice versa. Combining
this with recent results on one-shot CSI, this construction implies a new uncertainty principle
formulated in terms of smooth min- and max-entropies, which we discuss in Sec. VI along with
additional applications and relations to other work.



II. BACKGROUND

A. Classical-Quantum States

In order to describe protocols involving hybrid classical-quantum systems, it is convenient to
work within the formalism of quantum mechanics. In this language, a classical random variable
$Z^A$ and quantum side information S can be described by the classical-quantum (cq) state

where z are the possible values the random variable Z can take, with alphabet size d, $p_z$ is the
probability that $Z^A = z$, and $\varphi_z^S$ is the quantum state of S conditioned on the value of z. The A
system is effectively classical in the sense that an unconditional measurement in the $|z\rangle$ basis
has no effect on the state; essentially it has already been measured. The measurement defines
the $Z^A$ observable, up to specifying the values of the possible outcomes, i.e. the position of the
position observable. In the present context these values are irrelevant, as we are content with
simply enumerating them. The subscript, here Z, indicates this is a cq state and which observable
defines the classical basis.

The entropy of the classical random variable $Z^A$ given the quantum side information S is defined

In general, $\psi_Z^{AS}$ can be thought of as the marginal of the pure state , where

$$|\psi\rangle^{AST} = \sum_z \sqrt{p_z}\,|z\rangle^{A}|z\rangle^{T_1}|\varphi_z\rangle^{ST_2}. \qquad (3)$$

System T consists of two parts, $T_2$ which purifies S for each value of z and $T_1$ which purifies $AST_2$.
Here we name the systems S and T instead of B and R as in the introduction because in the
subsequent sections B and R will take on both roles in different contexts.

From the pure state we can still define the entropy of the classical random variable given
S by first converting back to a cq state. We will often make use of the following definition:

$$H(Z^A|S)_{\psi^{AST}} \equiv H(Z^A|S)_{\psi_Z^{AS}}.$$

B. Privacy Amplification Against Quantum Adversaries (PA) 

Privacy amplification is the art of extracting a truly secret random variable, a secret key, from 
one partially known to an eavesdropper holding some side information S. Functions performing
privacy amplification are usually called extractors, the goal being to produce as much secret key 
as possible. Privacy amplification against adversaries holding classical information was introduced 
2, [3], and was extended to the case of quantum side information in 0, @, 15]. 



Using (1), the ideal output of privacy amplification would be a state for which $p_z = \frac{1}{d}$ and the
$\varphi_z^S$ are all independent of z and equal to one another. This last property implies that
$\varphi_z^S = \psi^S$ for all z. In [15] Renner and König introduced an approximate notion of security and
uniformity of $Z^A$ which is universally composable, meaning that $Z^A$ can safely be input into any
other composable protocol, and the overall protocol is certain to be secure by virtue of its
constituent parts being secure. This definition says that $Z^A$ is approximately secure if the trace
distance to the ideal case $\frac{1}{d}\mathbb{1}^A \otimes \psi^S$ is small, where $\psi^S = \mathrm{Tr}_A[\psi_Z^{AS}]$. We will say that
$Z^A$ is $\epsilon$-secure if

$$p_{\rm secure}(Z|S)_\psi = \frac{1}{2}\left\|\psi_Z^{AS} - \frac{1}{d}\mathbb{1}^A \otimes \psi^S\right\|_1 \le \epsilon. \qquad (4)$$

Use of the trace distance $\|M\|_1 = \mathrm{Tr}[\sqrt{M^\dagger M}]$ means that the actual $\epsilon$-secure Z can only be
distinguished from the ideal, a perfect key, with probability at most $\epsilon$.

Renner and König show that privacy amplification can produce an $\epsilon$-secure key of length (number
of bits) $\ell^\epsilon_{\rm PA}(Z^A|S)_\psi$ given in terms of the smooth min-entropy [l^. [l5|:

H^^^{Z^\S)^ _ 21og i + 2 < t^^{Z^\S)^ < H^l{Z^\S)^, (5) 

where $\epsilon = \epsilon_1 + \epsilon_2$. For a precise definition of the smooth min-entropy, see Appendix B.

The lower bound is established by constructing an extractor based on universal hashing. In
this scheme the approximate key is created by applying a randomly chosen hash function f to $Z^A$.
The function is chosen from a universal family F of hash functions, each mapping a size d input
alphabet to a size m output alphabet, such that for any pair of inputs $z_1$ and $z_2$ the probability of a
collision of the outputs is no greater than if the function were chosen at random from all functions:

$$\Pr_F[f(z_1) = f(z_2)] \le \frac{1}{m} \quad \forall\, z_1, z_2.$$



More properly, such a family is called a 2-universal family, since the outputs exhibit a weaker
form of pairwise independence. Hash families whose outputs are truly pairwise independent are
called strongly 2-universal, a notion which can be easily extended to k-wise independence. In the
present context we shall focus on using linear hash functions, and since the family of all linear hash
functions is universal, we can immediately apply the results of [15].
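An added example (not from the paper): the Python below checks exhaustively that the family of all linear maps over GF(2) meets the collision bound stated above, then evaluates the security measure of Eq. (4) exactly for a constructed source. It assumes binary alphabets ($d = 2^n$, $m = 2^l$) and classical side information, so every state is diagonal and the trace distance reduces to a total variation distance; all function names are illustrative.

```python
"""Linear 2-universal hashing over GF(2), plus Eq. (4) for classical side information.

Added illustration: binary alphabets (d = 2**n, m = 2**l) and a classical
adversary are assumptions of this example, not restrictions made by the paper.
"""
from fractions import Fraction
from itertools import product


def all_linear_maps(n, l):
    """Every l x n binary matrix, each row stored as an n-bit mask."""
    return product(range(1 << n), repeat=l)


def apply_map(rows, z):
    """f(z) = M z over GF(2): output bit i is the parity of (row_i AND z)."""
    out = 0
    for i, row in enumerate(rows):
        out |= (bin(row & z).count("1") & 1) << i
    return out


def worst_collision_probability(n, l):
    """max over z1 != z2 of Pr_f[f(z1) = f(z2)], f uniform over all linear maps."""
    maps = list(all_linear_maps(n, l))
    worst = Fraction(0)
    for z1 in range(1 << n):
        for z2 in range(z1):
            hits = sum(apply_map(m, z1) == apply_map(m, z2) for m in maps)
            worst = max(worst, Fraction(hits, len(maps)))
    return worst


def leaky_source(n, leak_mask):
    """Constructed input: Z uniform on n bits, adversary sees Y = Z AND leak_mask."""
    return {(z, z & leak_mask): Fraction(1, 1 << n) for z in range(1 << n)}


def insecurity(joint, rows, l):
    """Eq. (4) for one fixed map: 1/2 * sum_{k,y} |P(k, y) - P(y) / m|."""
    m = 1 << l
    p_ky, p_y = {}, {}
    for (z, y), p in joint.items():
        k = apply_map(rows, z)
        p_ky[(k, y)] = p_ky.get((k, y), Fraction(0)) + p
        p_y[y] = p_y.get(y, Fraction(0)) + p
    dist = Fraction(0)
    for y, py in p_y.items():
        for k in range(m):
            dist += abs(p_ky.get((k, y), Fraction(0)) - py / m)
    return dist / 2


def average_insecurity(joint, n, l):
    """Insecurity averaged over the public, uniformly chosen hash function."""
    maps = list(all_linear_maps(n, l))
    return sum(insecurity(joint, rows, l) for rows in maps) / len(maps)


if __name__ == "__main__":
    n = 4
    print("worst collision probability, l=2:", worst_collision_probability(n, 2))
    source = leaky_source(n, 0b0011)      # two of the four key bits are leaked
    for l in (1, 2, 3):
        print("l =", l, "average insecurity =", average_insecurity(source, n, l))
```

With two of the four input bits leaked, the average insecurity rises from 1/8 at one output bit to 21/64 at two and 301/512 at three, which is the trade-off between key length and security that the key-length bound quantifies.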

Meanwhile, the upper bound applies to any conceivable privacy amplification protocol, and 
stems from properties of the min-entropy itself. In the asymptotic i.i.d. case of n — )■ oo copies of 
'ipz^ , the min-entropy tends to the more well-known von Neumann entropy, |5®")^®n — 



nH(Z'^\S)jp + O(ynlog^) 21], which implies that in this case universal hashing can produce 
approximate keys at the rate

$$r_{\rm PA}(\psi) = \lim_{\epsilon\to 0}\lim_{n\to\infty}\frac{1}{n}\,\ell^{\epsilon}_{\rm PA}(Z^{A^{\otimes n}}|S^{\otimes n})_{\psi^{\otimes n}} = H(Z^A|S)_\psi, \qquad (6)$$

and furthermore this rate is optimal. These results nicely conform with the intuitive understanding
of $H_{\min}^{\epsilon}(Z^A|S)$ and $H(Z^A|S)$ as uncertainties of $Z^A$ given the side information S; the part of $Z^A$
unknown to S should be roughly of this size, so it is sensible that this amount can in fact be
extracted by privacy amplification.



C. Data Compression with Quantum Side Information (CSI) 

The problem of data compression with side information, also known as information
reconciliation, is to compress a random variable $Z^A$ in such a way that it can later be recovered
by the compressed version Z' together with the side information S. Unlike privacy amplification,
this protocol has two components, a compressor and a decompressor, the goal of course being to
compress the input to as few bits as possible. The case of classical side information was first solved
for in the asymptotic i.i.d. scenario by Slepian and Wolf [19], and a one-shot version was given by
Renner and Wolf [16, 17]. The quantum i.i.d. version was studied by Winter [22] and Devetak and
Winter 0], and recently extended to the one-shot scenario by the present author [13].

The ideal output of such a scheme would be a cq state in which the were perfectly
distinguishable from one another, so that a corresponding measurement of S would perfectly reconstruct
z. A suitable approximate notion is that there should exist some measurement $\Lambda_z^B$ for which
the probability $p_{\rm guess}(Z^A|B)$ of successfully identifying z is large. When there does, we say z is
$\epsilon$-recoverable from B in the sense that

$$p_{\rm guess}(Z^A|B)_\psi = \sum_{z=0}^{d-1} p_z\,\mathrm{Tr}\left[\Lambda_z^B \varphi_z^B\right] \ge 1 - \epsilon. \qquad (7)$$

The one shot result can be formulated in terms of the dual quantity to the min-entropy, the
max-entropy, defined in Appendix B. The minimum number of bits $\ell^\epsilon_{\rm CSI}(Z^A|S)_\psi$ needed to compress
$Z^A$ such that it is $\epsilon$-recoverable from S and the compressed version is bounded by

H^^{Z^\S)^ < £hs,{Z^\S)^ < i/^i,,(Z-4]5)^ + 21og^ + 4, (8) 

again for $\epsilon = \epsilon_1 + \epsilon_2$. The upper bound is found by constructing a compressor using universal
hashing and a decompressor using the so-called "pretty good measurement", while the lower bound
follows from properties of the max-entropy. Like the min-entropy, the max-entropy also tends to
the von Neumann entropy in the limit of $n \to \infty$ i.i.d. inputs. Defining the rate as in privacy
amplification, we obtain

$$r_{\rm CSI} = \lim_{\epsilon\to 0}\lim_{n\to\infty}\frac{1}{n}\,\ell^{\epsilon}_{\rm CSI}(Z^{A^{\otimes n}}|S^{\otimes n})_{\psi^{\otimes n}} = H(Z^A|S)_\psi. \qquad (9)$$

This reproduces the results of Devetak and Winter for the asymptotic i.i.d. case. Again this
result conforms to the intuitive understanding of the conditional entropies. Since $H_{\max}^{\epsilon}(Z^A|S)$ and
$H(Z^A|S)_\psi$ are in some sense S's uncertainty of $Z^A$, it is sensible that the compressor would have
to augment the decompressor's information by this amount.



III. DUALITY FROM THE UNCERTAINTY PRINCIPLE IN THE PERFECT CASE 



We now show that the ideal cases that either B is already perfectly correlated with $Z^A$ or
R is perfectly uncorrelated with are already dual by using a recently derived version of the
uncertainty principle. Although using the uncertainty principle in this way will ultimately prove
insufficient in the approximate case and when attempting to construct one protocol from the other,
the analysis here serves to introduce the nature of the duality in a simplified setting, as well as
understand the reasons behind the second caveat.

As remarked in the introduction, the duality between PA and CSI exists for complementary
observables $Z^A$ and $X^A$. Let us be more specific and define these observables to be the
Weyl-Heisenberg operators $Z = \sum_{k=0}^{d-1} \omega^k |k\rangle\langle k|$ and $X = \sum_{k=0}^{d-1} |k+1\rangle\langle k|$. Since they aren't Hermitian,
these operators are not observables in the usual sense since the values they can take on are not real
numbers. However, they each specify a basis of system A, enough to specify two measurements,
which is all we need here. The two are related by Fourier transform, since the eigenstates
of X are simply $|x\rangle = \frac{1}{\sqrt{d}}\sum_{z=0}^{d-1} \omega^{-xz} |z\rangle$. From this relation it is clear that the observables are
complementary, as the result of $Z^A$ measurement on an $X^A$ eigenstate is completely random, and
vice versa.

Now consider a recently-discovered form of the uncertainty principle, which quantifies
uncertainty by entropy and includes the case of quantum side information,

$$H(X^A|R)_\psi + H(Z^A|B)_\psi \ge 1. \qquad (10)$$

This holds for arbitrary states pure or mixed. Loosely speaking, it states that the entropy
R has about the result of measuring $X^A$, plus the entropy B has about the result of measuring
$Z^A$, cannot be less than 1. Note that it is not possible to perform both of these measurements
simultaneously, since the associated observables do not commute. Nevertheless, the uncertainty
principle constrains what systems B and R can simultaneously "know" about the results of either
measurement.

Let us see how this can be used to show that perfect $Z^A$ recovery from B implies perfect
security from R. Consider an arbitrary pure state $|\psi\rangle^{ABR}$, which we can write

I i\ABR sr^ I — I \A\ \BR 



z 



BR 

XI 



using the $Z^A$ basis $|z\rangle^A$ or the $X^A$ basis $|x\rangle^A$. In the ideal case the states $\varphi_z^B$ are perfectly
distinguishable, and therefore $H(Z^A|B)_\psi = 0$. By the above this implies $H(X^A|R)_\psi = \log_2 d$,
which can only occur if all the marginal states $\vartheta_x^R$ are identical. Hence R is completely uncorrelated
with $X^A$. Furthermore, $H(Z^A|B)_\psi = 0$ also implies that is uniformly distributed. Since the
uncertainty principle holds for any state, we can also apply it to ip^^ . This yields =
$\log_2 d$, meaning is uniformly distributed. Thus, $X^A$ is an ideal key, uniformly distributed and
completely uncorrelated with R.

We cannot directly make use of the uncertainty principle for the converse, $X^A$ security from R
implies $Z^A$ recoverability from B. Assuming the former, we have $H(X^A|R) = 1$. But this does
not imply $H(Z^A|B) = 0$ unless the uncertainty principle is tight. As an example, consider for
d = 2 the state $|\psi\rangle^{ABR} = \frac{1}{\sqrt{2}}(|0\rangle + i|1\rangle)^A |\varphi\rangle^{BR}$, for which $H(Z^A|B) = H(X^A|R) = 1$. On the
other hand, if the uncertainty principle is tight, then it is immediate that $H(X^A|R) = 1$ implies
$H(Z^A|B) = 0$ and therefore the desired implication holds.

Thus we are interested in the equality conditions for Eq. (10). The only currently known
conditions are that (at least) one of $H(X^A|R)_\psi$, $H(X^A|B)_\psi$, $H(Z^A|R)_\psi$, or is zero [12], so
that equality is met when the conditional entropies take on their extreme values. Put differently,
the global state ifj^^^ must in some way be a cq state, be it between A and R, as in ^p^^ = ip^^ or 
or between A and B, as in = ip^^ or ipx^ ■ Moreover, there must be perfect correlation 
between the two systems in the sense that the conditional marginal states in either B or R (which
depend on the value of $X^A$ or $Z^A$) must be perfectly distinguishable.

For completeness, we briefly recapitulate the argument here. Consider the case that
$H(Z^A|B)_\psi = 0$, which immediately implies $H(X^A|R)_\psi \ge 1$. Since 1 is also an upper bound
to the conditional entropy, it must be that $H(X^A|R)_\psi = 1$ and the equality conditions are met.
The same argument can be made starting from $H(X^A|R)_\psi = 0$. The remaining two quantities
$H(X^A|B)_\psi$ and $H(Z^A|R)_\psi$ are related by the complementary form of the uncertainty principle,
obtained by interchanging either the complementary observables $X^A$ and $Z^A$ or the complementary
systems B and R. The derivation in [12] simultaneously produces both forms of the uncertainty
principle, meaning that satisfying the equality conditions for one implies the same for the other.
Thus, the conditions $H(X^A|B)_\psi = 0$ and $H(Z^A|R)_\psi = 0$ also lead to equality in (10).

Observe that in the former case of $H(X^A|B) = 0$ and $H(X^A|R) = 1$ we end up with $H(X^A|B) =
H(Z^A|B) = 0$, which is a sufficient condition to have maximal entanglement between A and B, as
discussed in [11]. In the other case we end up with $H(Z^A|B) = H(Z^A|R) = 0$ and $H(X^A|B) =
H(X^A|R) = 1$, a situation similar to that of a d = 2 GHZ state $(|000\rangle + |111\rangle)^{ABR}$.



IV. DUALITY IN THE APPROXIMATE CASE 



In this section we examine the duality when Z is approximately recoverable from B or R
is approximately independent of a nearly uniform $X^A$. Unfortunately, the arguments using the
uncertainty principle in the previous section cannot easily be modified to work in the approximate
case, so here we present a more algebraic treatment. We start with $Z^A$ recovery implies $X^A$
security.

Theorem 1. For an arbitrary pure state $|\psi\rangle^{ABR}$, suppose $p_{\rm guess}(Z^A|B)_\psi \ge 1 - \epsilon$. Then
$p_{\rm secure}(X^A|R)_\psi \le \sqrt{2\epsilon}$.

Proof. Start by performing the measurement coherently with a partial isometry $U^{B \to BM}$ and an
ancillary system M. This transforms the state according to



The ideal output would be 



ABMR /—I \A\ \ M I V BR 



\fz 



and computing the fidelity F{ip',(^) = \ {tp'\(,) \ between the two we find 

= ^Pz {iPz\\f^\(Pz 



yBR 



B 1,^ \BR 



Pguess- 

Here we have used the fact that ^fh > A for < A < 1. Now rewrite ^ using the complementary 
basis \x)^ in anticipation of measuring X^. The result is 

,(-\ABMR 1 xz I \M \ \BR 



X 



43Eis)"(^')"Ei-r-i9. 



X 

In the last line we have implicitly defined the state which is just with A replaced 

by M. It is easy to work out that the result of measuring and marginalizing over BM is the 
ideal output of privacy amplification of $X^A$ against R, namely

X 

Since and are related by the isometry $U^{B \to BM}$, measuring $X^A$ and tracing out
BM results in the same output for both input states. And because the fidelity cannot decrease
under such a quantum operation (see Appendix A), this implies

> 1 - e. 



Finally, fromE3we have Psccurc ( AT^ | i?) < Jl - F{iP^^, ^1^ iP^f < V2^. □ 
As discussed in the previous section, there are two routes from $\epsilon$-security of against R to
$\epsilon$-recovery of from B. The first case, when $H(X^A|B)_\psi = 0$, was implicitly used by Devetak
and Winter in their construction of an entanglement distillation protocol achieving the so-called
hashing bound 0]. The second case, $H(Z^A|R)_\psi = 0$, has not, to our knowledge, been previously
studied, but is more natural in the data compression scenario as it enforces the cq nature of the
AB state.

Theorem 2. If $|\psi\rangle^{ABR}$ is such that $p_{\rm secure}(X^A|R)_\psi \le \epsilon$ and either (a) $H(X^A|B)_\psi = 0$ or (b)
$H(Z^A|R)_\psi = 0$, then $p_{\rm guess}(Z^A|B)_\psi \ge 1 - \sqrt{2\epsilon}$.

Proof. Start with case (a), whose condition implies that $|\psi\rangle^{ABR}$ takes the form

X 

where $B = B_1B_2$. Tracing out B gives the cq state $\psi_X^{AR} = \sum_x q_x |x\rangle\langle x|^A \otimes \vartheta_x^R$, and the condition
$p_{\rm secure}(X^A|R)_\psi \le \epsilon$ implies the fidelity of $\psi_X^{AR}$ with the ideal output exceeds $1 - \epsilon$:



X 



> 1 - e. 



To get to the second line we have used Uhlmann's theorem, with corresponding isometries U^^'^^'^
for each state "d^, and the state ^ is the same as 1^)"^^^ with A replaced by M and B by 

B'. Now define the state 



x=0 

and observe that that = ^(^5^^, il^^V'^). Hence , IV')^^^) > 1-e, 

and converting to trace distance, we find D{ip^^^,^^^^) < y/2e. 
Applying the conditional isometry 

yB,B,^B,MB' ^ J2 \x) ® ;7t^^^'^^2 

X 

to \^)^^^ yields l^)"^ l^)''^^^^, and converting the result back to the \z) basis gives 

k)"^ \ IV') ^> where arithmetic inside the state vector is modulo d. Thus, the
measurement

J^B ^ y\BiB2^BiMB' yBiB2^BiMB' 

enables perfect recovery of z from B for the state But the measurement is a quantum
operation, which cannot increase the trace distance, and the trace distance after a measurement
is simply the variational distance of the resulting probability distributions. Therefore we can infer
that

Working out the left-hand side of this equation, we find that $p_{\rm guess}(Z|B)_\psi \ge 1 - \sqrt{2\epsilon}$.
Now consider case (b), whose condition implies can be written

\ i\ABR / — \\A\ \Ri\ \BR2 

m = 2^VP^\z) \z) \<Pz) 

z 

Using the complementary basis for A gives the alternate form 

xz 

X z 

= 73El^)^^^)''M^r, (11) 

X 

where in the last line we have implicitly defined the state \9)^^. Observe that tjj^' is invariant
under tlie action of {Z'-')^\ since = ^ T.xi^'')^^^^^^'^)'^^^ ■ ^^xt, compute tlie fidelity of ^pjf- 
with il^ ® V^, using the definition 6^ = (Z^)^i^^(Z^)t«i: 

x 

x 

Again psecmei^\R) < e implies V^) > 1 - e. Since we now have F{0^,ip^) > 

1 — e, it follows by Uhlmann's theorem that there exists an isometry U^^-^B g^^j^ iYisX 
{e\ U^^^^ IV')^^^ > 1 - e. Now consider the state 

\^^ABMR ^ ^ ^ \^)MBR 

X 

x,z,z' 
z 

from which z can obviously be recovered by measuring M. The overlap of this state with 

so we should expect $p_{\rm guess}(Z|B)_\psi$ to be large when using the
measurement

Indeed, converting the fidelity to trace distance and working out the variational distance just as
before yields $p_{\rm guess}(Z|B)_\psi \ge 1 - \sqrt{2\epsilon}$. □



V. DUALITY FOR PROTOCOLS 



Having worked out the duality for approximate recoverability or secrecy, we can now begin
investigating how the duality works for protocols designed to transform arbitrary inputs to the
approximate case. Since the duality concerns transforming operations on X into operations on
and vice versa, we first face the problem that operations on one necessarily affect the other
in some way. By confining our analysis to PA and CSI protocols in which the outputs are linear
functions of the inputs, we may avail ourselves of the stabilizer formalism, and this will enable us
to ensure the back action from operations is consistent with the transformation we wish to
implement, and vice versa. A short description of those aspects of the stabilizer formalism needed
here is given in Appendix C. We begin with the case of repurposing data compression into privacy
amplification, as it is more straightforward.

Theorem 3. Let $\mathcal{P}^\epsilon_{\rm CSI}$ be a protocol for compressing of to a string C of $\ell^\epsilon_{\rm CSI}$ bits via a linear
compression encoding map $f : Z \to C = \{0, 1\}^{\ell^\epsilon_{\rm CSI}}$. If $Z^A$ is $\epsilon$-recoverable by the decoding map
$\mathcal{D} : (C, B) \to Z'$, then the encoder can be repurposed to extract $\lceil \log_2 \dim(A) \rceil - \ell^\epsilon_{\rm CSI}$ $\sqrt{2\epsilon}$-secure bits
from $X^A$ which are uncorrelated with R.

Proof. First we embed system A into an integer number $\lceil \log_2 \dim(A) \rceil$ of qubits. Then, using the
encoding map f we can define a subsystem decomposition A = AA using z = f(z) as detailed in
Appendix C. This enables us to write the input state $|\psi\rangle^{ABR}$ as

z 

V^Pz(z,z) |Z) |Z) I'/'zCz.z)) ■ 

z,z 

Since z is $\epsilon$-recoverable from the combined system AB by definition of the protocol, Theorem 1
applies. Therefore x, the result of measuring encoded X operators on A, is $\epsilon$-secure against R.
But x = $g_\perp$(x), for $g_\perp$ related to f as in Appendix C, so $g_\perp$ defines a key extraction function. As
f outputs a $\ell^\epsilon_{\rm CSI}$-bit string, the output of $g_\perp$ must be a string of $\lceil \log_2 \dim(A) \rceil - \ell^\epsilon_{\rm CSI}$ bits. □

Now we take up the converse. Again case (a) is similar to results found by Devetak and Winter
in though, because they do not use linear functions, they cannot directly interpret their use of
privacy amplification as data compression of an independently-defined complementary observable.
We shall return to this issue at the end of this section. Reiterating the statement made prior
to Theorem 2, case (b) is more naturally suited to the data compression with side information
scenario, whose input is a cq state by assumption.

Theorem 4. Let $\mathcal{P}^\epsilon_{\rm PA}$ be a protocol for privacy amplification of $X^A$ against R consisting of a linear
extraction map $g : X \to K = \{0, 1\}^{\ell^\epsilon_{\rm PA}}$ and let the input be a pure state $\psi^{ABR}$ such that either
(a) $H(X^A|B)_\psi = 0$ or (b) $H(Z^A|R)_\psi = 0$. If $\mathcal{P}^\epsilon_{\rm PA}$ produces $\ell^\epsilon_{\rm PA}$ $\epsilon$-secure bits, then the extraction
map can then be used to define a compressor and corresponding decoding map which together can
be used to compress $Z^A$ to $\lceil \log_2 \dim(A) \rceil$ — bits such that $Z^A$ is $\sqrt{2\epsilon}$-recoverable from the side
information B and compressed version C.

Proof. Start with case (a). Again we embed system A into = $\lceil \log_2 \dim(A) \rceil$ bits for simplicity.
The input state has the form 

l,T,\ABi? , — \~\A\~\Bx\a \B2R 

X 

= E^/?^|x)^ |x)^ |x)^"^ |x)^^ 1^.)^^^, (12) 

x,x 
where we have used the subsystem decomposition A = AA from x = g(x) and suppressed the
dependence of x on (x, x). By assumption x is $\epsilon$-secure against R. Thus, Theorem 2 applies to the
division A | AS] 72, and there exists a measurement A^^ such that z is $\sqrt{2\epsilon}$-recoverable from AB.

Since A is not directly available to the decoder, we must break the measurement down into 
a compressor with classical output and subsequent measurement of B alone, conditional on this 
output. To do this, suppose A is measured in the Z basis, producing z, which results in the state 



Bi 



x,x 



with probability l/((i^ ~^pa)- ^ dependence drops out when tracing out the B systems, so the 
marginal states of R conditional on x are the same as in (12). Therefore, Theorem 2 implies z is
$\epsilon$-recoverable from B alone for each value of z. Since the pair (z, z) fixes the value of z, z = $f_\perp$(z)
is a suitable compression map enabling $\epsilon$-recovery of z from B and C = $f_\perp(Z^A)$.
Now consider case (b), whose input state is of the form 

m = Y.V^.\z)^\zf^\^y'^^^ (13) 

z 

X 



^BR2 



Here we have converted to the alternate form in the second equation, following (jlip . with \ = 
TliT, 1^)^^ I'/'z)^^^- For the third equation we again use the subsystem decomposition for $A = \bar{A}\hat{A}$
as well as $R_1 = \bar{R}_1\hat{R}_1$. By assumption, $\bar{x}$ is $\epsilon$-secure against $R$, so just as for case (a) Theorem 2
applies to the division $\bar{A}|\hat{A}B|R$ and implies there exists a measurement $\Lambda^{\hat{A}B}$ such that $\bar{z}$ is
$\sqrt{2\epsilon}$-recoverable from $\hat{A}B$.

This measurement can be broken down into a compression map with classical output followed by 
measurement of B alone following the technique used in the previous case. This time, we model the 
measurement quantum-mechanically, as the transformation |z)^^ — t- \z)^ However, from ()13p 

it is clear that the same effect can be achieved by the transformation |z) ^ — t- |z) followed by 
|z)^^ —7- |z)^^ In other words, there is no need to distribute z to -R, since R already has 

a copy. Thus, the effect of the measurement is simply to transfer $\hat{A}$ to $C$. Using the function
$\hat{z} = f_\perp(z)$ as the compressor therefore ensures that $\bar{z}$, and hence $z$, is $\epsilon$-recoverable from $(B, C)$.

In both cases $f_\perp$ outputs $n - \ell_{PA}$ bits when $g$ outputs $\ell_{PA}$, completing the proof. □



VI. DISCUSSION & APPLICATIONS 

The reasons for restricting attention to linear hashing techniques in this analysis should now be 
more understandable. Since the duality between PA and CSI is meant to hold for complementary 
observables, it is not a priori clear that, e.g. a given privacy amplification function applied to $X^A$
has a well-defined action on $Z^A$, let alone the desired one. However, the use of linear hashing to
deal with this problem is only shown here to be sufficient, not necessary, and it would be nice to
understand more precisely under what circumstances this duality holds.

This issue is somewhat subtle, and deserves further comment. By the results in Sec. IIVI once, 
say, privacy amplification of $X^A$ against $R$ has been performed, it is certainly possible to define
an appropriate complementary observable so that it is recoverable from $B$. However, this
observable generally has nothing whatsoever to do with a complementary observable that we might
have defined for the input to the privacy amplification procedure, and in particular, the two need
not commute so as to be simultaneously well-defined. For instance, in 0], privacy amplification is
used as the second step of an entanglement distillation protocol. Since the output is entangled,
both $X^A$ and $Z^A$ complementary observables are recoverable from $B$. But these observables have
nothing to do with complementary observables one would have defined for the input to the protocol,
so one cannot say the PA procedure performs CSI. Thus, while $\epsilon$-security of $X^A$ and $\epsilon$-recovery
of $Z^A$ always go hand in hand, it does not follow from that alone that PA and CSI protocols
necessarily do, too. On the other hand, in many situations in quantum information processing,
such as in this distinction is not important.

Perhaps the most direct application of our results is a general entropic uncertainty relation 
formulated in terms of the smooth conditional min- and max-entropies 2j]. Using the upper 
bound of El Theorem [H and the lower bound of [5] for an input system whose dimension d is a 
power of two, we immediately obtain 



log2 d < H:^\X^\R)^ + W^,^{Z^\B)^ + 2 log ^ + 4 (14) 

for e = ei + £2- From the definition of the smoothed conditional max-entropy it follows that 
H^g^-^{Z^\B) < H^^.^^{Z'^\B) for e' > e, so if we choose ei = 62 = f and e = the above 
expression can be transformed into the more appealing form 

Hi,^{X^\R)^ + Hi^^^{Z^\R)^ > log, d - 8 log i - 12. (15) 

This extends the recent work on uncertainty principles valid in the presence of quantum memory
to the smooth min- and max-entropy. Due to the operational interpretations of these
quantities 0], this relation should be useful in the analysis of quantum information processing
protocols.

Another application of this work is to a new approximate quantum error-correcting condition.
This will be explored more fully in a future publication, but we can already give a brief overview
here. Essentially, the quantum decoupling condition of [18] mentioned in the introduction can be
broken down into two classical pieces. That condition states that $AB$ is maximally entangled when
$A$ is completely uncorrelated with the purification system $R$, and it is in a completely random state.
Approximate quantum error-correcting procedures can then be constructed by approximately
decoupling $R$. The entanglement distillation procedure of Devetak and Winter [a] implicitly gives a
different characterization, saying that $AB$ is maximally entangled if $Z^A$ is recoverable from $B$ and
secure from $R$. Using the duality of these recoverability and security notions, there are in principle
two other equivalent characterizations of approximate entanglement, from which approximate
quantum error-correcting procedures can likewise be constructed. The first one states that $AB$ is
maximally entangled if both $X^A$ and $Z^A$ are recoverable from $B$, a condition which was implicitly
explored in ll|. The second is the classical decomposition of the quantum decoupling condition,
that $AB$ is entangled if both $X^A$ and $Z^A$ are secure from $R$, with the additional proviso that one
of them, say $X^A$, is secure not just from $R$, but from $R$ together with a copy of $Z^A$.
Appendix A: Fidelity and Trace Distance

Here we recount some facts about the trace distance and fidelity. Proofs can be found in, e.g.
[10]. The trace distance $D(\rho, \sigma)$ between two quantum states $\rho$ and $\sigma$ is defined by

$$D(\rho, \sigma) = \tfrac{1}{2}\|\rho - \sigma\|_1, \tag{A1}$$

where $\|A\|_1 = \mathrm{Tr}\sqrt{A^\dagger A}$. It is invariant under unitary operations on the inputs and cannot increase
under trace preserving quantum operations. In particular, if a measurement $\Lambda_k$ yields outcome $k$
with probability $r_k$ for $\rho$ and $s_k$ for $\sigma$, then the trace distance bounds the variational distance of
the two distributions

$$D(\rho, \sigma) \ge \tfrac{1}{2}\sum_k |r_k - s_k|. \tag{A2}$$

Moreover, the trace distance is the largest probability difference the two states $\rho$ and $\sigma$ could assign
to the same measurement outcome $\Lambda$,

$$D(\rho, \sigma) = \max_{\Lambda} \mathrm{Tr}[\Lambda(\rho - \sigma)], \quad 0 \le \Lambda \le \mathbb{1}. \tag{A3}$$

Therefore, if the trace distance between $\rho$ and $\sigma$ is small, they behave nearly identically under all
measurements.

Meanwhile, the fidelity $F(\rho, \sigma)$ is defined by

$$F(\rho, \sigma) = \|\sqrt{\rho}\sqrt{\sigma}\|_1, \tag{A4}$$

and it, too, is invariant under unitary operations on the inputs and monotonic under trace preserving
quantum operations, in this case increasing. By Uhlmann's theorem the fidelity of two mixed
states is related to the fidelity of their purifications. If $|\psi\rangle^{AR}$ is a purification of $\rho^A$ and likewise
$|\varphi\rangle^{AR}$ is a purification of $\sigma^A$, then

$$F(\rho, \sigma) = \max_{U^R} F\left(|\psi\rangle^{AR}, (\mathbb{1}^A \otimes U^R)|\varphi\rangle^{AR}\right) \tag{A5}$$

$$= \max_{U^R} \langle\psi|(\mathbb{1}^A \otimes U^R)|\varphi\rangle^{AR}, \tag{A6}$$

for $U^R$ a unitary on the purifying system $R$. If this purifying system is different for the two states,
say $|\psi\rangle^{AR_1}$ and $|\varphi\rangle^{AR_2}$, then the maximization is instead over partial isometries $U^{R_2 \to R_1}$ taking
$R_2$ to $R_1$.

The trace distance and fidelity are essentially equivalent measures of closeness of two quantum
states, via

$$1 - F(\rho, \sigma) \le D(\rho, \sigma) \le \sqrt{1 - F(\rho, \sigma)^2}. \tag{A7}$$
Appendix B: Smooth Entropies

The smooth min- and max-entropies were first introduced by Renner & Wolf for the classical
case, in order to characterize information processing protocols beyond the usual asymptotic
i.i.d. scenario to cases where the input random variables or channels are essentially structure 



They were subsequently extended to the quantum case by Renner [1^ and Renner & König,
and have undergone several additional refinements. Here we follow the definitions given in [20].
First, the conditional min-entropy for a state $\rho^{AB}$ is defined by

$$H_{\min}(A|B)_\rho := \max_{\sigma^B}\left(-\log \lambda_{\min}(\rho^{AB}, \sigma^B)\right), \tag{B1}$$

with $\lambda_{\min}(\rho^{AB}, \sigma^B) := \min\{\lambda : \rho^{AB} \le \lambda\, \mathbb{1}^A \otimes \sigma^B\}$. Dual to the conditional min-entropy is the
conditional max-entropy, defined by

$$H_{\max}(A|B)_\rho := \max_{\sigma^B} 2\log F(\rho^{AB}, \mathbb{1}^A \otimes \sigma^B). \tag{B2}$$

The two are dual in the sense that, for $\rho^{ABC}$ a pure state, $H_{\max}(A|B)_\rho = -H_{\min}(A|C)_\rho$ 0|.

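Each of these entropies can be smoothed by considering states $\rho'^{AB}$ in the $\epsilon$-neighborhood of
$\rho^{AB}$, defined using the purification distance $P(\rho, \sigma) = \sqrt{1 - F(\rho, \sigma)^2}$,

$$B_\epsilon(\rho) := \{\rho' : P(\rho, \rho') \le \epsilon\}. \tag{B3}$$

Note that the purification distance is essentially equivalent to the trace distance, due to the bounds
$D(\rho, \sigma) \le P(\rho, \sigma) \le \sqrt{2D(\rho, \sigma)}$, which are just a reformulation of (A7). The smoothed entropies are
then given by

$$H^{\epsilon}_{\min}(A|B)_\rho := \max_{\rho' \in B_\epsilon(\rho^{AB})} H_{\min}(A|B)_{\rho'}, \tag{B4}$$

$$H^{\epsilon}_{\max}(A|B)_\rho := \min_{\rho' \in B_\epsilon(\rho^{AB})} H_{\max}(A|B)_{\rho'}. \tag{B5}$$

Furthermore, the dual of $H^{\epsilon}_{\min}(A|B)_\rho$ is $H^{\epsilon}_{\max}(A|C)_\rho$, so that taking the dual and smoothing can
be performed in either order [20].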



Appendix C: CSS Stabilizer Formalism 

The stabilizer formalism developed by Gottesman [3] in the context of quantum error-correction
is perfectly suited to describing the effects of applying linear functions to the complementary
observables $X^A$ and $Z^A$. In fact, here we will only need a subset of these results, for so-called
Calderbank-Shor-Steane (CSS) stabilizers. Here we give an exceedingly brief overview; for more
details see 



For simplicity, fix $d = 2$; the resulting statements actually apply for any $d$ which is a power
of a prime number. Starting with a collection $A$ of $n$ 2-dimensional quantum systems $A_1, \dots, A_n$,
suppose we would like to apply a linear function $f : \{0,1\}^n \to \{0,1\}^m$ to the result $z$ of measuring
each system $A_i$ in the $Z$ basis. Since the function is linear, each output bit is the result of computing
the inner product of $z$ with a fixed binary string $h_j$, $f(z)_j = z \cdot h_j$. But then the $j$th output bit
is nothing other than the result of measuring the operator $Z^{h_j} = Z^{h_{j,1}} \otimes \cdots \otimes Z^{h_{j,n}}$, where $h_{j,k}$ is
the $k$th component of the vector $h_j$. As much holds for $X$ by Fourier symmetry.
It can be shown that given $m$ linearly independent vectors $h_j$, the resulting (commuting) operators
stabilize a subspace of dimension $2^k$, with $k = n - m$, meaning that there exist $2^k$ linearly
independent common eigenvectors of the set. Therefore, a basis for the space $\mathbb{F}_2^n$ translates into
a basis for the space $\mathbb{C}^{2^n}$ and the operators $Z^{h_j}$ form a complete set of commuting observables,
to use language more familiar in quantum mechanics. Any basis will do, and indeed the usual
decomposition of $\mathbb{C}^{2^n}$ as $n$ copies of $\mathbb{C}^2$ just corresponds to the basis of vectors $e_j$ defined by
components $e_{j,k} = \delta_{j,k}$.

Moreover, the algebra of $\mathbb{F}_2^n$ carries over into the commutation relations between $X$-type stabilizers
and $Z$-type stabilizers. Since $XZ = -ZX$, it follows immediately that

This condition can be used to define encoded qubits and corresponding anticommuting encoded
$X$ and $Z$ operators. The $X$ and $Z$ operators of the physical qubits are such that each $Z^{A_j}$
anticommutes with just one of the $X^{A_k}$, namely $j = k$, and commutes with all the others. This can be
extended to an arbitrary basis $h_j$ by finding its dual basis $g_j$ for which $g_j \cdot h_k = \delta_{j,k}$. Each pair
$(g_j, h_j)$ then corresponds to a pair of encoded $(X, Z)$ operators.

Suppose $f(z)$ is a linear function for which the corresponding set of vectors $\{h_j\}_{j=1}^{m}$ is linearly
independent. This set we can take as defining a basis for the corresponding subspace in $\mathbb{F}_2^n$, and
this basis can be completed by finding a basis of $n - m$ vectors $\{h_j\}_{j=m+1}^{n}$ for the complementary
subspace. The complementary basis defines its own function, $f_\perp$. Since together $f$ and $f_\perp$ make
up an invertible function (the associated matrix is invertible), a string $z$ can just as well be
characterized by the pair $(f(z), f_\perp(z))$. Calling these outputs $\bar{z} = f(z)$ and $\hat{z} = f_\perp(z)$, respectively, we
can regard $z$ as a function of the pair $(\bar{z}, \hat{z})$.

The stabilizer construction allows us to apply this transformation to the state vectors of the
$n$ qubits as well, meaning that we can relabel the basis states $|z\rangle \simeq |\bar{z}, \hat{z}\rangle$. That is, using the
stabilizers we can perform $\mathbb{F}_2$ arithmetic inside the kets in a meaningful way. And it respects the
tensor product as well, meaning for a system $A$ of $n$ qubits we can use the collection of encoded
operators for $f$ to define a subsystem $\bar{A}$ and those for $f_\perp$ to define a subsystem $\hat{A}$, so that together
$\mathcal{H}_A = \mathcal{H}_{\bar{A}} \otimes \mathcal{H}_{\hat{A}}$. Or, more compactly, $A = \bar{A}\hat{A}$.

Finally, we can now see that this formalism controls the back action from applying $f$ on $Z^A$ to
the complementary operators $X^A$. In the above decomposition of $A$ into $\bar{A}$ and $\hat{A}$, we are still free
to switch to the complementary basis in either subsystem, and in doing so we go from $f$ ($f_\perp$) to $g$
($g_\perp$). If we convert $\hat{A}$ to the $X$ basis, then the resulting basis describes the possible simultaneous
$f(z)$ and $g_\perp(x)$ outputs, even though $x$ and $z$ do not exist simultaneously.
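
The completion of a linear function f by f⊥ and the dual basis g_j described in this appendix can be checked by direct computation over F_2. The following Python sketch is an added example, not code from the paper; the function names and the sample vectors h_1, h_2 are constructed for illustration.

```python
def dot(u, v):  # inner product over F_2
    return sum(a & b for a, b in zip(u, v)) % 2

def rank(rows):  # rank over F_2 via an XOR basis on integer bitmasks
    basis = []
    for r in rows:
        x = int("".join(map(str, r)), 2)
        for b in basis:
            x = min(x, x ^ b)
        if x:
            basis.append(x)
    return len(basis)

def complete_basis(h_rows, n):  # extend h_1..h_m to a basis of F_2^n
    rows = [tuple(r) for r in h_rows]
    if rank(rows) != len(rows):
        raise ValueError("the vectors h_j must be linearly independent")
    for k in range(n):
        e = tuple(int(i == k) for i in range(n))
        if rank(rows + [e]) > len(rows):
            rows.append(e)
    return rows

def inverse(M):  # Gauss-Jordan inverse of an invertible matrix over F_2
    n = len(M)
    A = [list(r) + [int(i == j) for j in range(n)] for i, r in enumerate(M)]
    for c in range(n):
        p = next(r for r in range(c, n) if A[r][c])
        A[c], A[p] = A[p], A[c]
        for r in range(n):
            if r != c and A[r][c]:
                A[r] = [a ^ b for a, b in zip(A[r], A[c])]
    return [row[n:] for row in A]

def dual_basis(H):  # rows g_j with g_j . h_k = delta_jk, i.e. G = (H^-1)^T
    Hinv = inverse(H)
    return [tuple(Hinv[i][j] for i in range(len(H))) for j in range(len(H))]

def split(z, H, m):  # (f(z), f_perp(z)): first m and remaining n-m parities
    out = tuple(dot(h, z) for h in H)
    return out[:m], out[m:]

def recombine(zbar, zhat, G):  # invert split: z = sum_j c_j g_j
    c = zbar + zhat
    return tuple(sum(cj & g[i] for cj, g in zip(c, G)) % 2 for i in range(len(G)))

# Constructed sample: n = 4 bits, f given by m = 2 parity vectors h_1, h_2.
H = complete_basis([(1, 1, 0, 1), (0, 1, 1, 1)], 4)
G = dual_basis(H)
```

With m = 2 of n = 4 parities assigned to f, the complementary function f⊥ returns the remaining n − m = 2 bits, and every 4-bit string z is recovered exactly from the pair of outputs.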